BEC Scams: Again, Your Cyber Insurance Won’t Cover Them
- By Andrew Deichler
- Published: 1/26/2016
For more insights on payments fraud, be sure to check out AFP’s latest Treasury in Practice Guide: BEC Scams: Treasury’s Number One Fraud Threat.
A Houston-based oil and energy company learned the hard way that cyber insurance does not cover business email compromise (BEC) scams—but they aren’t taking it lying down. AFGlobal Corp. is suing Federal Insurance Co. for refusing to cover a $480,000 loss from a fraud that occurred in May 2014.
In a textbook BEC scam, an individual who claimed to be AFGlobal’s CEO, Gean Stalcup, sent several emails to Glen Wurm, the director of accounting. The emails informed Wurm that he had been assigned to handle a “strictly confidential financial operation” that took priority over all other tasks. Wurm was instructed to communicate only with “Stalcup” and an attorney from KPMG who was identified as Steven Shapiro.
The “attorney” later contacted Wurm and told him that he needed $480,000 wired to him for due diligence fees related to an acquisition in China. He then sent Wurm wiring instructions, and the accounting director complied.
Wurm received no further correspondence from “Shapiro” until almost a week later, when “Shapiro” acknowledged receipt of the funds and requested that another $18 million be sent. At this point, Wurm became suspicious.
AFGlobal attempted to recover the $480,000 from its bank, but the money was already gone. And to make matters worse, Federal Insurance Co. ruled that the fraud did not involve a forgery of a financial instrument and was thus not covered under AFGlobal’s policy.
According to Federal’s parent company, Chubb Group, “what defines a Financial Instrument under the Policy is not merely the existence of a written promise, order or direction to pay, but a written promise, order or direction pay that is ‘similar’ to a ‘check’ or ‘draft.’” The insurer added that the emails Wurm received were “in no way similar” to financial instruments as defined by the policy.
Cybersecurity blogger Brian Krebs noted that this is actually the second time in the past year that Federal Insurance has been taken to court after a policyholder was hit by a BEC scam. Medidata Solutions sued the insurer in February after an employee got duped into wiring $4.8 million to a Chinese bank and Federal refused to pay the claim. In that case, Federal argued that the policy only covered hacking, not voluntary transfers of money.
As noted in AFP’s Treasury in Practice Guide on BEC Scams, treasury and finance professionals should not count on their cyber insurance policies to cover BEC scams. As a treasurer from a global development organization explained, “I learned from our insurance group that this isn’t covered as a fraudulent wire because we intentionally sent it.”
The overlooked insurance solution for BEC scams
Fortunately, there is coverage available for BEC scam losses—you just need to know which policy it falls under. During an interview at the 2016 AFP Annual Conference, Tom Reagan, national cyber practice leader for Marsh, explained that currently, BEC scam coverage is available as part of many traditional insurance policies, but not cyber insurance.
“Typically the broad cyber market deals with nonfinancial asset issues; it deals with data, information, things like that,” said Reagan. “But on the crime side and the fidelity side, there are a variety of products that cover business email compromise. So yes, you can buy insurance for that. The market’s not as deep as we would like it to be, but we expect that market to get much deeper in the coming weeks and months.”
While the AFGlobal scam occurred in 2014—before the threat of BEC scams was widely reported—that doesn’t mean everyone is paying attention. Last week, Belgian bank Crelan confirmed that it had been defrauded out of €70 million (about $76 million). Although the bank has not confirmed how the money was stolen, it is rumored to have been the result of a BEC scam.
Copyright © 2024 Association for Financial Professionals, Inc.
All rights reserved.